December 12, 2018 Article

It’s 10 P.M. [Somewhere]—Do You Know Where Your Data Is?

By Susan Tillotson Bunch

Recent surveys confirm general corporate angst about data privacy and security, but the surveys suggest less awareness of who the real bogeyman is and what we should be afraid of when it goes bump in the night. Whether from being bombarded with legitimate news about Russians hacking our democracy or conspiracy theories regarding spying microwaves, when we focus on nefarious external threats, we risk losing sight of the leading root causes of data breaches: ourselves, or at least our employees and contractors. Many incidents that have resulted in substantial losses, both to reputation and resources, can be traced back to negligent insiders and vendors.

In a digital era, when data is king, the keys to success are more likely to be dynamic, understandable, and consistently applied privacy and security programs, not avoiding an evil genius injecting diabolical Cyrillic code. Let’s chat about the state of the kingdom.

The Good, the Bad, and the Ugly

Let’s get the bad and the ugly out of the way first.

The bad: The threats to your business are very real and are not going away any time soon. Cyber attacks and data breaches are constant threats. As our use of digital platforms increases, the associated risks mount.

The ugly: Cyber criminals abound, and their tactics become more sophisticated and devious over time, limited only by their imagination. Knowledge is power—whether for good or evil. Threats continue to evolve, whether in the form of botnets or ransomware, or in malware disguised as files in portable document format (PDFs). Many continue to fall victim to “older” scams as well. As long as cyber crime remains a lucrative revenue source, often with little up-front cost and few downside risks, businesses will be exposed.

The good: Again, knowledge is power. Malicious outsiders are often successful because they exploit vulnerabilities often unwittingly enabled by negligent insiders, contractors, or policies inconsistently applied or incompatible with one another.

Ridding the world of the digital dark side is unrealistic; “hardening” your outfit’s defenses by continually evolving internal best practices is both realistic and necessary to business continuity.

Consider the following well-known concepts:

  • You are most likely to have a car crash less than 10 miles from home (70 percent of crashes occur in that range, according to the National Transportation Safety Board in 2012).
  • A child is more likely to be abducted by a relative or acquaintance (76 percent) than a stranger (24 percent).
  • You are 1,375 times more likely to die in a car crash than a plane crash. (The odds of dying in a plane crash are 1 in 11 million, compared with 1 in 8,000 for a traffic accident.)

By analogy:

  • You are most likely to experience a breach “at home.”
  • Your data integrity is more likely to be jeopardized by “someone you know.”
  • Your data incidents and breaches are more likely attributable to mundane factors, such as sloppy security practices or carelessness, than to made-for-movie high-profile attacks (and when you do experience the latter, it will often have been facilitated by the former).

Why should this matter? For the same reason that stats matter to drivers, travelers, and parents: Knowing where the risk actually exists empowers you to take appropriate and helpful steps to confront it, mitigate it, or even prevent it.

Before we proceed merrily down this path with a bit of joy in our hearts and a spring in our steps, let me hastily explain that my goal is not to “debunk” the idea of external threats or disavow the existence of sophisticated criminal enterprises that traffic in stolen data, extort money using ransomware, and hack into sensitive systems, wreaking financial and other havoc on their victims. On the contrary, my passion for data security runs nerdishly deep.

However, the goal of this essay, in keeping with a 30,000-foot perspective, is to highlight how many of the more common threats or “typical” vulnerabilities exploited by the evildoers are remediable or avoidable through the exercise of vigilance and common sense, combined with a dose of prevention.

Hiding in Plain Sight: Where the Real Threats Live

“There are lies, damn lies, and statistics.”
—Mark Twain

I like statistics. They make me feel “comfortable” in positing an inferred fact.

I hate statistics. I recognize their utility for persuading others without a rich contextual understanding of the responses and the resulting ease with which numbers can be manipulated to support any argument.

That being said, I’m now going to offer you a handful of statistics. Keep in mind that available statistics generally reflect reported incidents and breaches. Not all incidents are reportable; not all breaches are publicized. Those that are, however, reflect an unsurprising increase in data breaches and a substantial increase in the number of affected records.

For my purposes, statistics illustrate certain trends that can be simultaneously alarming and comforting. They should alarm you because they show the increasing commonality of data breaches and security incidents and their attendant rising costs. They should comfort you by demonstrating the difference that can be made by increased awareness and relatively inexpensive and simple steps.

Threat number 1—Ignorance or lack of awareness. In 2017, “hacking” was identified as the primary source of data loss or compromise in 60 percent of reported data breaches, according to the Identity Theft Resource Center’s end-of-year analysis. In the business sector, 40 percent of responding organizations reported that their breaches fell in this category. It is important to note that the “hacking” category includes “phishing” and ransomware and malware, all of which exploit human factors.

Although only 11 percent of the reported breaches were attributed to employee error, negligence, or improper disposal or loss of records, these human factors resulted in the exposure of over 145 million records (almost 82 percent of the total exposed records). Another 6 percent of breaches (and roughly 8 million exposed records) reportedly resulted from “accidental” Internet exposure, e.g., the inadvertent posting of records online.

What does that mean? What you don’t know (or what you ignore) can hurt you. In ugly ways.

As I mentioned above, knowledge is power—for both sides. As you review these examples, consider how the outcome might be influenced by simple human factors, including lack of awareness and failure to follow basic security standards.

Ignorance is not bliss. Despite the publicity given to the use of “phishing” and other so-called “social engineering” tactics to gain unauthorized access to systems and resources, people are still getting duped and the dupers are getting better.

Verizon’s 2017 Data Breach Investigations Report found that 1 in 14 were tricked into following a link or opening an attachment—and one-quarter of those were duped more than once.

People still fail to set and protect strong passwords; 80 percent of hacking activities leveraged stolen or weak or guessable passwords.

“Phishing” attacks are not necessarily focused on getting access to the “phished” individual’s identity or information but may be used as a “back door” to install malware or otherwise access company resources.

Although it’s helpful to consider data breaches or cyber attacks as individual, discrete incidents, they often present as multiple linked and evolving events designed to probe for and exploit vulnerabilities, both systemic and human, which may then be used to insert malicious programming, whether for a short-term fraud or a long-term intrusion.

A recent Pew survey reported that, when presented with a list of four password options, roughly 75 percent of respondents could identify the strongest password. That’s encouraging. However, knowledge does not necessarily equal awareness or action.

Only half of these respondents understood what a “phishing” attack is, while the majority assumed that their emails are encrypted by default. Only 10 percent could identify an example of multifactor authentication, even though such methods are of critical importance to log-in security.

Knowing what a strong password looks like is only comforting if you understand a password’s importance in the face of cyber threats.

Threat number 2—Complacence. Small businesses with minimal online presence may feel comfortable that their data is less vulnerable and become complacent. However, in Verizon’s 2017 Data Breach Investigations Report, a whopping 61 percent of data breach victims were businesses with fewer than 1,000 employees. Still not too worried about your small company’s exposure? Think again. While declining, the average cost of a data breach in 2017 was $3.62 million.

Even companies that take steps to protect themselves often expose their data by failing to update security software or by treating the security process as a single-stage, “one and done” procedure. Data privacy and security are better viewed by analogizing to driver safety, where experts recommend that you keep a constant scan of all your vehicle’s mirrors while driving and that you adjust your mirrors when necessary to maximize your ability to avoid an accident.

In other words, privacy and security practices should be treated as constantly evolving cycles: They must be monitored, tested, remedied or patched, and improved on a continuous basis. Those practices should include training employees to recognize the threats they may encounter via phishing and malware, as well as the risk they pose to the organization itself.

The number of computing devices that connect to, or are integrated in, a computing environment; the variety of manufacturers and operating systems; and the frequency with which they change create numerous challenges to security, whether in compatibility, interoperability, or security support.

Even small lapses in security coverage can create vulnerabilities to be exploited with potentially unpleasant outcomes. Huge losses have occurred from failures to promptly address known vulnerabilities. Corporate complacence is one of the cyber criminal’s greatest allies.

Threat number 3—Overcollection or storage. Another threat lies in the data itself. The more personal, sensitive data that a company collects, stores, and retains—whether about employees, consumers, or customers—the greater the damage caused by exposure of the data.

If your marketing team or digital folks adhere to the philosophy that data is king, they should also ensure that it is protected like royalty. If such measures are deemed too costly, consider the average cost of a breach in 2017 (above), not to mention the possible harm to reputation and brand.

Think about your policies on data collection. Why is the data being collected? Is the data up to date and current? Is it really necessary for the stated purpose? If the data falls into sensitive categories—financial, medical, religious, etc.—is it being stored in a responsible manner, segregated from other data, properly classified and with access restricted to those who need to know it? Do you have policies in place to effectively dispose of information once it has served its purpose? Data minimization can help reduce risk in the event of a breach.

Threat number 4—Physical assets in a digital world. Portable media, removable hard drives, laptop computers, and phones are all risks if proper security measures are not in place. Flash drives are effortlessly portable and easily misplaced. Once out of service, hard drives must be disposed of or destroyed properly to ensure against improper access to their data.

You outsourced the destruction of those drives? Great! Did you adequately vet the vendor and require strong contractual protection? Take a lesson from the United Kingdom hospital whose trusted information technology vendor directed an employee to destroy 1,000 hard drives, roughly a third of which ended up on eBay. Can you guess who was stuck with the bill for £325,000 (roughly $420,000) in fines? (Hint: not the winning bidders.)

On this side of the pond, a health insurer was hit with a $3 million fine, among other penalties, after a security guard employed by its security contractor stole unencrypted laptops, exposing 1.2 million sensitive records.

Don’t forget about all the road warriors either. Each week in the United States alone, 12,000 laptops are lost or stolen, just from airports. Do your employees store or access company information using their laptops? If so, in the wrong hands, the laptops become potential tools to tamper with systems or system configuration, or to download and distribute sensitive data. (If you aren’t so sure, reread threat number 1 above and consider the likelihood that the laptops are adequately protected or encrypted.)

Threat number 5—Ignoring bit players. Rounding out this brief list, let’s not forget the behind-the-scenes folks. Security and privacy should extend throughout an enterprise, including backup sites and data centers. The same concepts should be applied to physical security considerations, whether in the form of user entry access controls, cages around servers, or vaults for the most sensitive and proprietary material.

Conclusion

Of course, depending on your needs, there are various tools in your data privacy and security tool kit for reducing risk, whether by outsourcing critical functions, insuring against certain types of loss, relying on only heavily vetted trusted vendors, and more. However, from our lofty view of your kingdom at 30,000 feet, we are just skimming the subject. Every business should do a fact-specific audit to understand and guard against its specific security and privacy risks.

Even from this high perch, however, you can see that threats to data security and privacy aren’t diminishing. In fact, the costs and consequences of breaches and incidents continue to rise dramatically. As a legal advisor, you won’t likely be faced with single-handedly tracking down and foiling a digital threat (if you do, however, a book deal or miniseries may be in your future). However, the more we counsel our clients to raise awareness and instill a stronger security-minded culture at all levels, the greater the chances of preventing some of the most common vulnerabilities that can be exploited to devastatingly bad press and economic woes.
 

Susan Tillotson Bunch is a partner with Thomas & LoCicero LP in Tampa, Florida.


Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).